package com.gitblit.ldap;

import com.gitblit.IStoredSettings;
import com.gitblit.Keys;
import com.gitblit.utils.StringUtils;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.DereferencePolicy;
import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPSearchException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustAllTrustManager;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/gitblit/ldap/LdapConnection.class */
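/**
 * Thin wrapper around an UnboundID {@link LDAPConnection} for Gitblit's LDAP realm.
 *
 * <p>It owns two bind identities: the manager (service) account used to search the
 * directory, and the most recently authenticated user. {@code currentBindRequest}
 * records which of them the underlying connection is believed to be bound as, so that
 * callers can temporarily bind as a user and then restore the previous identity.
 *
 * <p>Not thread-safe: the bind bookkeeping is plain instance state.
 */
public class LdapConnection implements AutoCloseable {
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final IStoredSettings settings;
    private LDAPConnection conn;
    // The request the connection is believed to be bound with right now (null before bind()).
    private SimpleBindRequest currentBindRequest;
    // Service account from realm.ldap.username / realm.ldap.password; anonymous when both are empty.
    private SimpleBindRequest managerBindRequest;
    // Last successful user bind; null until a user has been bound.
    private SimpleBindRequest userBindRequest;

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515): NUL, '(', ')',
     * '*' and '\' are replaced by their backslash-hex form so user input cannot change
     * the structure of the filter.
     *
     * <p>This is filter escaping only; it does not make a value safe to embed in a DN.
     *
     * @param value raw attribute value
     * @return the escaped value, never null
     * @throws NullPointerException if {@code value} is null
     */
    public static final String escapeLDAPSearchFilter(String value) {
        StringBuilder escaped = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case 0:
                    escaped.append("\\00");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '\\':
                    escaped.append("\\5c");
                    break;
                default:
                    escaped.append(c);
                    break;
            }
        }
        return escaped.toString();
    }

    /**
     * Returns the configured search base for user accounts ({@code realm.ldap.accountBase}),
     * or an empty string when unset.
     */
    public static String getAccountBase(IStoredSettings settings) {
        return settings.getString(Keys.realm.ldap.accountBase, "");
    }

    /**
     * Returns the configured user search filter ({@code realm.ldap.accountPattern}); the
     * {@code ${username}} placeholder is substituted by {@link #searchUser(String, List)}.
     * Defaults to an Active Directory style sAMAccountName filter.
     */
    public static String getAccountPattern(IStoredSettings settings) {
        return settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
    }

    /**
     * Builds the manager bind request from the realm settings. No network activity
     * happens here; call {@link #connect()} and then {@link #bind()}.
     *
     * @param settings Gitblit settings providing the {@code realm.ldap.*} keys
     */
    public LdapConnection(IStoredSettings settings) {
        this.settings = settings;
        String managerDn = settings.getString(Keys.realm.ldap.username, "");
        String managerPassword = settings.getString(Keys.realm.ldap.password, "");
        if (StringUtils.isEmpty(managerDn) && StringUtils.isEmpty(managerPassword)) {
            // No service account configured: search the directory anonymously.
            // (The original fell through and overwrote this request; the else is the fix.)
            this.managerBindRequest = new SimpleBindRequest();
        } else {
            // A DN with an empty password is an "unauthenticated" bind (RFC 4513 §5.1.2);
            // the SDK rejects that combination by default, so bind() will fail loudly.
            this.managerBindRequest = new SimpleBindRequest(managerDn, managerPassword);
        }
    }

    /** Instance form of {@link #getAccountBase(IStoredSettings)}. */
    public String getAccountBase() {
        return getAccountBase(this.settings);
    }

    /** Instance form of {@link #getAccountPattern(IStoredSettings)}. */
    public String getAccountPattern() {
        return getAccountPattern(this.settings);
    }

    /**
     * SSL helper that trusts any server certificate.
     *
     * <p>NOTE(review): {@link TrustAllTrustManager} disables certificate validation, so
     * {@code ldaps://} and {@code ldap+tls://} protect against passive eavesdropping only,
     * not against an impersonated directory server. Left as-is here because switching to a
     * validating trust manager would reject self-signed deployments; a configurable trust
     * store is the proper fix.
     */
    private static SSLUtil trustAllSslUtil() {
        return new SSLUtil(new TrustAllTrustManager());
    }

    /**
     * Opens the TCP (and optionally TLS) connection described by {@code realm.ldap.server}.
     * Supported schemes: {@code ldap://} (plain, default port 389), {@code ldaps://}
     * (TLS, default port 636) and {@code ldap+tls://} (plain connect, then StartTLS).
     *
     * @return true if connected; false on a malformed URL, unsupported scheme, TLS setup
     *         failure or LDAP error (all logged)
     */
    public boolean connect() {
        try {
            URI uri = new URI(this.settings.getRequiredString(Keys.realm.ldap.server));
            String scheme = uri.getScheme();
            String host = uri.getHost();
            int port = uri.getPort();
            if (scheme == null || host == null) {
                // e.g. "server:389" parses as an opaque URI with no host; fail before NPE.
                this.logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>");
                return false;
            }
            boolean startTls = scheme.equalsIgnoreCase("ldap+tls");
            if (scheme.equalsIgnoreCase("ldaps")) {
                this.conn = new LDAPConnection(trustAllSslUtil().createSSLSocketFactory());
                if (port == -1) {
                    port = 636;
                }
            } else if (scheme.equalsIgnoreCase("ldap") || startTls) {
                // Plain ldap:// sends simple-bind passwords unencrypted; prefer ldaps or ldap+tls.
                this.conn = new LDAPConnection();
                if (port == -1) {
                    port = 389;
                }
            } else {
                this.logger.error("Unsupported LDAP URL scheme: " + scheme);
                return false;
            }
            this.conn.connect(host, port);
            if (startTls) {
                ExtendedResult result = this.conn.processExtendedOperation(
                        new StartTLSExtendedRequest(trustAllSslUtil().createSSLContext()));
                if (result.getResultCode() != ResultCode.SUCCESS) {
                    // Surface a refused StartTLS as an LDAP error rather than continuing in clear.
                    throw new LDAPException(result.getResultCode());
                }
            }
            return true;
        } catch (URISyntaxException e) {
            this.logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>", e);
            return false;
        } catch (GeneralSecurityException e) {
            this.logger.error("Unable to create SSL Connection", e);
            return false;
        } catch (LDAPException e) {
            this.logger.error("Error Connecting to LDAP", e);
            return false;
        }
    }

    /** Closes the underlying connection if one was created; safe to call repeatedly. */
    @Override // java.lang.AutoCloseable
    public void close() {
        if (this.conn != null) {
            this.conn.close();
        }
    }

    /**
     * Binds with the manager account so the directory can be searched.
     *
     * @return the bind result, or null on failure (logged; the exception itself only at debug)
     */
    public BindResult bind() {
        try {
            BindResult result = this.conn.bind(this.managerBindRequest);
            this.currentBindRequest = this.managerBindRequest;
            return result;
        } catch (LDAPException e) {
            this.logger.error("Error authenticating to LDAP with manager account to search the directory.");
            this.logger.error("  Please check your settings for realm.ldap.username and realm.ldap.password.");
            this.logger.debug("  Received exception when binding to LDAP", e);
            return null;
        }
    }

    /**
     * Binds as a user whose DN is derived from a pattern ({@code realm.ldap.bindpattern})
     * by substituting {@code ${username}}. On success the request becomes both the user
     * bind and the current bind.
     *
     * @param bindPattern DN template containing {@code ${username}}
     * @param username    user-supplied account name
     * @param password    user-supplied password; an empty password is refused locally
     * @return the bind result, or null on failure
     */
    public BindResult bind(String bindPattern, String username, String password) {
        if (StringUtils.isEmpty(password)) {
            // A DN with an empty password is an unauthenticated bind, not a credential check.
            this.logger.error("Refusing to bind user ({}) with an empty password.", username);
            return null;
        }
        // NOTE(review): the username is escaped with search-filter rules (RFC 4515) but is
        // substituted into a DN; DN-special characters such as ',' '+' '=' '"' '<' '>' ';'
        // are not covered by that routine. Confirm that callers validate usernames, or
        // escape per RFC 4514 here.
        String bindDn = StringUtils.replace(bindPattern, "${username}", escapeLDAPSearchFilter(username));
        try {
            SimpleBindRequest userBind = new SimpleBindRequest(bindDn, password);
            BindResult result = this.conn.bind(userBind);
            this.userBindRequest = userBind;
            this.currentBindRequest = userBind;
            return result;
        } catch (LDAPException e) {
            this.logger.error("Error authenticating to LDAP with user account to search the directory.");
            this.logger.error("  Please check your settings for realm.ldap.bindpattern.");
            this.logger.debug("  Received exception when binding to LDAP", e);
            return null;
        }
    }

    /**
     * Re-binds with the last successful user bind, e.g. after a manager-level search.
     *
     * @return true if the connection is now bound as the user; false if there is no user
     *         bind, it is already current, or the bind failed (the connection is then closed)
     */
    public boolean rebindAsUser() {
        if (this.userBindRequest == null || this.currentBindRequest == this.userBindRequest) {
            return false;
        }
        try {
            this.conn.bind(this.userBindRequest);
            this.currentBindRequest = this.userBindRequest;
            return true;
        } catch (LDAPException e) {
            // A half-rebound connection has an unknown identity; drop it rather than reuse it.
            this.conn.close();
            this.logger.error("Error rebinding to LDAP with user account.", e);
            return false;
        }
    }

    /**
     * Verifies a user's credentials by performing a simple bind with them, then restores
     * the previous bind so searches keep their original authorization.
     *
     * <p>The credentials are always sent to the server. The original code returned true as
     * soon as the currently bound DN equalled {@code userDn} without looking at
     * {@code password} at all, which accepted any password for the DN the connection
     * happened to be bound as (including the manager account); that shortcut is removed.
     *
     * @param userDn   the user's distinguished name
     * @param password the password to verify; empty DN or password is refused locally
     * @return true if the bind succeeded
     */
    public boolean isAuthenticated(String userDn, String password) {
        if (StringUtils.isEmpty(userDn) || StringUtils.isEmpty(password)) {
            // Empty DN is an anonymous bind and empty password an unauthenticated bind;
            // neither proves anything about the user.
            this.logger.error("Refusing to authenticate ({}) with an empty DN or password.", userDn);
            return false;
        }
        verifyCurrentBinding();
        SimpleBindRequest previousBind = this.currentBindRequest;
        boolean authenticated = false;
        SimpleBindRequest userBind = new SimpleBindRequest(userDn, password);
        try {
            this.conn.bind(userBind);
            authenticated = true;
            this.userBindRequest = userBind;
        } catch (LDAPException e) {
            this.logger.error("Error authenticating user ({})", userDn, e);
        }
        if (previousBind != null) {
            try {
                this.conn.bind(previousBind);
            } catch (LDAPException e) {
                this.logger.error("Error reinstating original LDAP authorization (code {}). Team information may be inaccurate for this log in.", e.getResultCode(), e);
            }
        } else if (authenticated) {
            // Nothing to restore: the connection now stays bound as the user, so track that.
            this.currentBindRequest = userBind;
        }
        return authenticated;
    }

    /**
     * Runs a prepared search request.
     *
     * @return the result, or the partial result carried by the exception when the search
     *         fails (the result code is logged)
     */
    public SearchResult search(SearchRequest searchRequest) {
        try {
            return this.conn.search(searchRequest);
        } catch (LDAPSearchException e) {
            this.logger.error("Problem Searching LDAP [{}]", e.getResultCode());
            return e.getSearchResult();
        }
    }

    /**
     * Subtree search under {@code baseDn} with the given filter.
     *
     * @param baseDn            search base
     * @param dereferenceAliases when true, aliases are dereferenced while searching
     * @param filter            already-escaped LDAP filter
     * @param attributes        attributes to return; null returns the server default set
     * @return the search result, or null if the request could not be built
     */
    public SearchResult search(String baseDn, boolean dereferenceAliases, String filter, List<String> attributes) {
        try {
            SearchRequest request = new SearchRequest(baseDn, SearchScope.SUB, filter, new String[0]);
            if (dereferenceAliases) {
                request.setDerefPolicy(DereferencePolicy.SEARCHING);
            }
            if (attributes != null) {
                request.setAttributes(attributes);
            }
            return search(request);
        } catch (LDAPException e) {
            this.logger.error("Problem creating LDAP search", e);
            return null;
        }
    }

    /**
     * Looks up a user account by substituting the escaped {@code username} into the
     * configured account pattern and searching the account base.
     *
     * @param username   raw account name (escaped here, never embedded verbatim)
     * @param attributes attributes to return, or null for the server default set
     */
    public SearchResult searchUser(String username, List<String> attributes) {
        String filter = StringUtils.replace(getAccountPattern(), "${username}", escapeLDAPSearchFilter(username));
        return search(getAccountBase(), false, filter, attributes);
    }

    /** Convenience overload of {@link #searchUser(String, List)} returning default attributes. */
    public SearchResult searchUser(String username) {
        return searchUser(username, null);
    }

    /**
     * Reconciles {@code currentBindRequest} with what the connection reports as its last
     * bind. A mismatch of request objects is tolerated when the DNs agree (or we have no
     * DN expectation); a differing DN is logged and the tracked request is replaced by the
     * connection's own.
     *
     * @return true if the tracked bind was consistent with the connection
     */
    private boolean verifyCurrentBinding() {
        SimpleBindRequest lastBindRequest = this.conn.getLastBindRequest();
        if (lastBindRequest == this.currentBindRequest) {
            return true;
        }
        this.logger.debug("Unexpected binding in LdapConnection. {} != {}", lastBindRequest, this.currentBindRequest);
        // Either side may be null: no bind performed yet, or bind() never called on this wrapper.
        String boundDn = lastBindRequest == null ? null : lastBindRequest.getBindDN();
        String expectedDn = this.currentBindRequest == null ? null : this.currentBindRequest.getBindDN();
        this.logger.debug("Currently bound as '{}', check authentication for '{}'", boundDn, expectedDn);
        if (expectedDn == null || expectedDn.equals(boundDn)) {
            return true;
        }
        this.logger.warn("Unexpected binding DN in LdapConnection. '{}' != '{}'.", boundDn, expectedDn);
        this.logger.warn("Updated binding information in LDAP connection.");
        this.currentBindRequest = lastBindRequest;
        return false;
    }
}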
